From bf8bd3c48d5d9420f6fde3331467c8dd41a26c6b Mon Sep 17 00:00:00 2001
From: nsfisis
Date: Sat, 21 Mar 2026 17:08:17 +0900
Subject: feat(worker): block eval() in PHP code submissions
Add validation to reject PHP code containing eval() before execution. Update the problem description to inform participants about this restriction.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 worker/php/exec.mjs | 17 ++++++++++++++++-
 worker/php/lib.mjs | 11 +++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)
(limited to 'worker/php')
diff --git a/worker/php/exec.mjs b/worker/php/exec.mjs
index f1cb361..650d4df 100644
--- a/worker/php/exec.mjs
+++ b/worker/php/exec.mjs
@@ -1,7 +1,22 @@
-import { buildResult, createIOCallbacks, preprocessCode } from "./lib.mjs";
+import {
+ buildResult,
+ createIOCallbacks,
+ preprocessCode,
+ validateCode,
+} from "./lib.mjs";
 import PHPWasm from "./php-wasm.js";
 process.once("message", async ({ code: originalCode, input }) => {
+ const validationError = validateCode(originalCode);
+ if (validationError) {
+ process.send({
+ status: "runtime_error",
+ stdout: "",
+ stderr: validationError,
+ });
+ return;
+ }
+
 const code = preprocessCode(originalCode);
 const io = createIOCallbacks(input);
diff --git a/worker/php/lib.mjs b/worker/php/lib.mjs
index d877856..a5f10ab 100644
--- a/worker/php/lib.mjs
+++ b/worker/php/lib.mjs
@@ -9,6 +9,17 @@ const PRELUDE = `
 const BUFFER_MAX = 10 * 1024;
+const FORBIDDEN_CONSTRUCTS = [/\beval\b/i];
+
+export function validateCode(code) {
+ for (const pattern of FORBIDDEN_CONSTRUCTS) {
+ if (pattern.test(code)) {
+ return `Forbidden: eval() is not allowed`;
+ }
+ }
+ return null;
+}
+
 export function preprocessCode(originalCode) {
 if (originalCode.startsWith("
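Review bot: The early return after `validateCode(originalCode)` in worker/php/exec.mjs reports a policy rejection as `status: "runtime_error"`, so anything keyed on the status field cannot separate a blocked submission from PHP code that really failed at run time; only the stderr text differs. If the result protocol allows it, a distinct status (or a fixed, documented stderr prefix the parent can log and count) would make rejections auditable. The check is also a match on raw source text (`/\beval\b/i` in the lib.mjs hunk), so it fires on the word inside a comment or string literal and should not be read as the isolation boundary for untrusted code. I would say so at the call site, e.g. `// Rule check on raw source text only; not a sandbox. Isolation of submitted code must not depend on this.` The message handler's body continues past the end of this hunk.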